Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
6937ae58
Commit
6937ae58
authored
Jul 27, 2021
by
Russell Dickenson
Committed by
Evan Read
Jul 27, 2021
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Move DAST job order topic
parent
2f5a0d41
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
30 additions
and
24 deletions
+30
-24
doc/user/application_security/dast/index.md
doc/user/application_security/dast/index.md
+30
-24
No files found.
doc/user/application_security/dast/index.md
View file @
6937ae58
...
@@ -54,28 +54,6 @@ results. On failure, the analyzer outputs an
...
@@ -54,28 +54,6 @@ results. On failure, the analyzer outputs an
[
`docker` executor
](
https://docs.gitlab.com/runner/executors/docker.html
)
.
[
`docker` executor
](
https://docs.gitlab.com/runner/executors/docker.html
)
.
-
Target application deployed. For more details, read
[
Deployment options
](
#deployment-options
)
.
-
Target application deployed. For more details, read
[
Deployment options
](
#deployment-options
)
.
### DAST job order
When using the
`DAST.gitlab-ci.yml`
template, the
`dast`
stage is run last as shown in
the example below. To ensure DAST scans the latest code, deploy your application
in a stage before the
`dast`
stage.
```
yaml
stages
:
-
build
-
test
-
deploy
-
dast
```
Be aware that if your pipeline is configured to deploy to the same webserver in
each run, running a pipeline while another is still running could cause a race condition
where one pipeline overwrites the code from another pipeline. The site to be scanned
should be excluded from changes for the duration of a DAST scan.
The only changes to the site should be from the DAST scanner. Be aware that any
changes that users, scheduled tasks, database changes, code changes, other pipelines, or other scanners make to
the site during a scan could lead to inaccurate results.
### Deployment options
### Deployment options
Depending on the complexity of the target application, there are a few options as to how to deploy and configure
Depending on the complexity of the target application, there are a few options as to how to deploy and configure
...
@@ -143,6 +121,34 @@ services: # use services to link the container to the dast job
...
@@ -143,6 +121,34 @@ services: # use services to link the container to the dast job
alias
:
yourapp
alias
:
yourapp
```
```
### DAST job order
When using the
`DAST.gitlab-ci.yml`
template, the
`dast`
stage is run last as shown in
the example below. To ensure DAST scans the latest code, deploy your application
in a stage before the
`dast`
stage.
```
yaml
stages
:
-
build
-
test
-
deploy
-
dast
```
Take care if your pipeline is configured to deploy to the same web server in each run. Running a
pipeline while another is still running could result in one pipeline overwriting the code from
another pipeline. The site to be scanned should be excluded from changes for the duration of a DAST
scan. The only changes to the site should be from the DAST scanner.
Changes to the site during a scan from any of the following could lead to inaccurate results:
-
Users.
-
Scheduled tasks.
-
Database changes.
-
Code changes.
-
Other pipelines.
-
Other scanners.
## DAST run options
## DAST run options
You can use DAST to examine your web application:
You can use DAST to examine your web application:
...
@@ -838,8 +844,8 @@ Chrome DevTools element selector tool is an effective way to find a selector.
...
@@ -838,8 +844,8 @@ Chrome DevTools element selector tool is an effective way to find a selector.
!
[
highlight
](
img/dast_auth_browser_scan_highlight.png
)
!
[
highlight
](
img/dast_auth_browser_scan_highlight.png
)
1.
Once highlighted, you can see the element's details, including attributes that would make a good candidate for a selector.
1.
Once highlighted, you can see the element's details, including attributes that would make a good candidate for a selector.
In this example, the
`id="user_login"`
appears to be a good candidate. You can use this as a selector as the DAST username field by setting
In this example, the
`id="user_login"`
appears to be a good candidate. You can use this as a selector as the DAST username field by setting
`DAST_USERNAME_FIELD: "id:user_login"`
.
`DAST_USERNAME_FIELD: "id:user_login"`
.
##### Choose the right selector
##### Choose the right selector
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment